Shellshock Not So Shocking
Shellshock is making the rounds, but there is not much commentary on why it isn’t so shocking to people who have been around a while. Here’s some sage advice from a couple of legends in the security field. Simson Garfinkel and Gene Spafford wrote Practical UNIX and Internet Security 20 years ago. Even then, it was well known that shells and untrusted input were bad news. The following is from the second edition (1996); emphasis is mine.
18.2.3.2 Testing is not enough!
Many programming languages, including C, ksh, sh, csh, and Perl, provide the means to spawn subprocesses. You should try to avoid using these features when writing CGI scripts. If you must spawn a subprocess, avoid passing through any strings that are provided by the user. If you must pass strings from the user to the subprocess, be sure that it does not pass shell meta characters including the `$|;>*<&> characters.
23.2 Tips on Avoiding Security-related Bugs
Check anything supplied by the user for shell meta characters if the user-supplied input is passed on to another program, written into a file, or used as a filename. In general, checking for good characters is safer than checking for a set of “bad characters” and is not that restrictive in most situations.
Shellshock is just as much an error by the developers of calling programs as it is a bug in the shell. Sure, the shell shouldn’t execute random stuff placed after a function definition in an environment variable but you probably don’t want random people on the internet defining functions in the shell you’re using to execute stuff, either.
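As an added example (not from the post or from the book), here is a Python sketch of the two pieces of advice quoted above: check a user-supplied argument against a list of good characters before it reaches a subprocess, and spawn that subprocess as an argv list (no shell) with a fixed environment so request-derived variables such as HTTP_USER_AGENT are not passed through. The allowlist, the minimal environment and the HTTP_USER_AGENT probe are assumptions chosen for the demonstration.

```python
import os
import re
import subprocess
import sys

# "Check for good characters": letters, digits and a little punctuation with no
# shell meaning. The allowlist itself is an assumption for this example.
SAFE_ARG = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Shell metacharacters, used only to explain a rejection, never as a denylist filter.
SHELL_META = set("`$|;>*<&?()[]{}\\\"'\n")


def check_user_arg(value: str) -> str:
    """Return value unchanged if every character is on the allowlist, else raise."""
    if SAFE_ARG.fullmatch(value):
        return value
    bad = sorted(c for c in value if c in SHELL_META)
    raise ValueError(f"rejected {value!r}; shell metacharacters found: {bad}")


def is_rejected(value: str) -> bool:
    """True if check_user_arg refuses the value (convenience for callers and tests)."""
    try:
        check_user_arg(value)
    except ValueError:
        return True
    return False


def minimal_env() -> dict:
    """Fresh environment for the child (example choice). A CGI gateway copies request
    headers into variables such as HTTP_USER_AGENT, so nothing is inherited from it."""
    return {"PATH": "/usr/bin:/bin", "LANG": "C"}


def run_with_user_arg(argv_prefix: list, user_supplied: str) -> subprocess.CompletedProcess:
    """Run argv_prefix + [validated arg] as an argv list, no shell, clean environment."""
    arg = check_user_arg(user_supplied)
    return subprocess.run(argv_prefix + [arg], env=minimal_env(),
                          capture_output=True, text=True, timeout=10, check=False)


def child_sees_header(header_value: str) -> bool:
    """Constructed check: plant a request-header variable in this process, then ask a
    child started through run_with_user_arg whether it can see it (it should not)."""
    os.environ["HTTP_USER_AGENT"] = header_value
    probe = "import os; print('HTTP_USER_AGENT' in os.environ)"  # ignores extra argv
    result = run_with_user_arg([sys.executable, "-c", probe], "probe")
    return result.stdout.strip() == "True"
```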